Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-22884

Good to know:

icon

Date: March 3, 2021

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

Language: C++

Severity Score

Related Resources (18)

https://www.oracle.com/security-alerts/cpuApr2021.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4FRS5ZVK4ZQ7XIJQNGIKUXG2DJFHLO7/
https://security-tracker.debian.org/tracker/CVE-2021-22884
https://nvd.nist.gov/vuln/detail/CVE-2021-22884
https://hackerone.com/reports/1069487
https://security.netapp.com/advisory/ntap-20210723-0001/
https://people.canonical.com/~ubuntu-security/cve/CVE-2021-22884
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F45Y7TXSU33MTKB6AGL2Q5V5ZOCNPKOG/
https://access.redhat.com/security/cve/CVE-2021-22884
https://security.netapp.com/advisory/ntap-20210416-0001/
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/#node-js-inspector-dns-rebinding-vulnerability-cve-2018-7160
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
https://security.alpinelinux.org/vuln/CVE-2021-22884
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HSYFUGKFUSZ27M5TEZ3FKILWTWFJTFAZ/
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.mend.io/vulnerability-database/CVE-2021-22884

Severity Score

Top Fix

icon

Upgrade Version

Upgrade to version 15.10.0, 14.16.0, 12.21.0, 10.24.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us